Business continuity and disaster planning has been a focus of the Securities and Exchange Commission in its examinations of Registered Investment Advisors in recent years, following the impact of disasters such as Hurricane Sandy on advisors in the affected region, as well as increased concern over cybersecurity risks. Investment advisors generally have business continuity plans (BCPs) in place; however, the degree of specificity and robustness of these plans vary significantly across the industry. The SEC’s recent proposal to require formalized plans that sufficiently address specified criteria (Rule 206(4)-4) will require RIAs to elevate their planning and risk mitigation efforts.
The 60-day comment period for this rule just ended. While there may be some small changes to specifics before the regulation is finalized, feedback from various industry parties was mostly supportive of the general direction of the guidance, so RIAs should not expect significant changes from the proposal. A significant point of contention is the inclusion of the rule in the anti-fraud section of the Investment Advisers Act instead of with more operational directives.
Advisors with sophisticated business continuity and transition plans already in place should revisit them to ensure they are tailored to the company with sufficient specificity and contain all essential elements of the SEC proposal. These include: maintenance of critical systems and protection data, alternate physical locations, communication plans, review of third-party services critical to operations and a plan for winding down or transitioning the business.
Advisors with less robust plans should:
- Assess current systems and processes, focusing on the reliance on both technology and external vendors for critical functions, such as trade execution and processing, and custody of customers’ assets. This analysis should identify the core business systems and inventory, the required systems, data, supplies, facilities and personnel needed to execute those functions.
- Develop and document a plan that identifies potential disaster or disruption scenarios. Rank them in terms of probability and impact, and lay out detailed procedures for getting the business’s critical functions back up and running as quickly as possible with minimal losses.
- Implement a documented plan, which includes employee training, vendor contracting, and getting new safeguards, redundant technologies and alternate physical locations up and running.
- Test the plan to ensure effectiveness. Tests can vary in complexity and may involve restoring data and systems to a hot site, executing drills with employees, or conducting simulations to assess the completeness of disaster recovery plans and employee understanding. Advisors need to review their business continuity plans at least annually to ensure they are operating properly and address any changes to the business or industry.
Costs of compliance with the new rule will include both hefty one-time upfront costs and lesser ongoing annual costs. Some of the costs may be passed on to investors down the line through higher fees. The SEC staff has estimated that the upfront costs will range from $30,000 to $1.5 million per advisor and will take from 50-500 hours. Whether RIAs will be at the lower or higher end of these ranges will depend on the size and complexity of the advisor’s business, as well as how comprehensive their existing plan is. The SEC acknowledges that this will be a costly transition for many but believes that the benefits to the market will significantly outweigh the costs. A drawback is that increased costs may create barriers to entry or cause some advisors to exit the market due to already low margins, reducing overall competition.
Compliance consultants will be in high demand over the next couple years as RIAs enhance their existing plans and ensure compliance with the new rules. Good legal counsel is of course key, and audit firms experienced with business continuity and disaster planning are valuable partners in this process as well.
This clarification of the SEC’s expectations on business continuity plans may help advisors to be better prepared for SEC examinations, as previously there was uncertainty on what exam staff were specifically looking for.
As a fiduciary, the investment advisor must always be focused on mitigating risk and protecting customers’ assets. A strong business continuity and transition plan is integral to achieving this and should be a key objective of companies and chief compliance officers in particular. This new rule will result in some added costs, but its guidance is expected to be beneficial over the long run. Moreover, its principles-based approach will allow advisors to tailor the plan to address firm-specific operations and risks.
Katelyn Kogan is an audit manager with New York-based accounting firm WeiserMazars, and Carlos Martins is a partner with the firm.